forked from Bos55/nix-config
Tibo De Peuter
1c437333f3
Migrated authorized SSH keys and personal metadata (emails, tokens) to sops-nix to prevent infrastructure fingerprinting. Introduced centralized secrets module with placeholder fallbacks.
64 lines
1.6 KiB
Nix
64 lines
1.6 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
let
|
|
cfg = config.homelab.users.deploy;
|
|
in {
|
|
options.homelab.users.deploy = {
|
|
enable = lib.mkEnableOption "user Deploy";
|
|
|
|
authorizedKeys = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
default = [];
|
|
description = ''
|
|
Additional SSH public keys authorized for the deploy user.
|
|
The CI runner key should be provided as a base key; personal
|
|
workstation keys can be appended here per host or globally.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
users = {
|
|
groups.deploy = { };
|
|
|
|
# The user used to deploy rebuilds without password authentication
|
|
users.deploy = {
|
|
group = config.users.groups.deploy.name;
|
|
isSystemUser = true;
|
|
home = "/var/empty";
|
|
shell = pkgs.bashInteractive;
|
|
openssh.authorizedKeys.keyFiles = [
|
|
config.sops.secrets.user_keys_deploy.path
|
|
];
|
|
};
|
|
};
|
|
|
|
# Allow the deploy user to push closures to the nix store
|
|
nix.settings.trusted-users = [ "deploy" ];
|
|
|
|
security.sudo.extraRules = [
|
|
{
|
|
groups = [
|
|
config.users.groups.deploy.name
|
|
];
|
|
commands = [
|
|
{
|
|
command = "/nix/store/*-nix-*/bin/nix-env -p /nix/var/nix/profile/system --set /nix/store/*-*";
|
|
options = [ "NOPASSWD" ];
|
|
}
|
|
];
|
|
}
|
|
{
|
|
groups = [
|
|
config.users.groups.deploy.name
|
|
];
|
|
commands = [
|
|
{
|
|
command = "/nix/store/*/bin/switch-to-configuration";
|
|
options = [ "NOPASSWD" ];
|
|
}
|
|
];
|
|
}
|
|
];
|
|
};
|
|
}
|